Error "Access Denied" in Gallery after enabling SAML Authentication:
There was an error logging into the external provider. The error message is: access_denied
One of the possible causes will be found within the aas.log file on the Alteryx server. You will see the following error:
"Sustainsys.Saml2.Exception.InvalidsignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted"
When SAML Authentication is enabled, the aas.log files will be stored in C:/ProgramData/Alteryx/Logs and will show the authentication attempts for Gallery between the IDP (in this case Azure) and the Alteryx Server. These logs and the particular error will look like the following:
The client is using the Azure App Federation Metadata URL when setting up SAML in the Alteryx Server Settings. Azure SAML configuration can be found here.
The SAML Library on the Azure environment is not configured correctly to accept the certificate through the Metadata URL.
Azure recognizes the x.509 certificate, but does not trust it because the certificate is not approved.
Set up the Alteryx Server Settings SAML IDP Configuration to use the X509 Certificate and IDP SSO URL
Download the Base64 Certificate manually from Azure (or other IDP) - this can be found in Step 3 SAML Signing Certificate of the Single Sign On Configuration.
In the Alteryx Server Settings, select the radio button for X509 Certificate and IDP SSO URL, enter the IDP SSO URL, and paste the X509 Certificate. The IDP SSO URL is the Azure Login URL.
Save the Alteryx Settings to confirm, and you are finished! Attempt to log in to the Gallery.
If the x509 certificate is ever updated on the IDP side, this process will need to be repeated to restore functionality. It would be best to fix the SAML Library so the metadata URL trusts the certificate assigned to the Gallery application. This will need to be done by the Azure Administrator.
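Because the pasted certificate is a manual pin, a scheduled check can warn that the IDP has rotated its signing certificate before Gallery logins start failing. The following is an added example, not Alteryx or Microsoft code: it compares the SHA-256 thumbprint of the pinned Base64 certificate with the signing certificates in a saved copy of the federation metadata XML. The function names are hypothetical, and the sample metadata and certificate bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def thumbprint(b64_cert):
    """SHA-256 hex digest of the DER bytes of a Base64 or PEM-wrapped certificate."""
    lines = (ln.strip() for ln in b64_cert.strip().splitlines())
    body = "".join(ln for ln in lines if not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def metadata_signing_thumbprints(metadata_xml):
    """Thumbprints of every signing certificate the IDP metadata advertises."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute applies to signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.add(thumbprint(cert.text or ""))
    return found

def pinned_cert_is_current(pinned_b64, metadata_xml):
    """True if the certificate pasted into Server Settings is still published."""
    return thumbprint(pinned_b64) in metadata_signing_thumbprints(metadata_xml)

# Constructed sample input: placeholder bytes stand in for DER certificates.
OLD_CERT = base64.b64encode(b"constructed placeholder: old signing cert").decode()
NEW_CERT = base64.b64encode(b"constructed placeholder: rotated signing cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {NEW_CERT}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for name, cert in (("old pin", OLD_CERT), ("new pin", NEW_CERT)):
        print(name, thumbprint(cert)[:16], pinned_cert_is_current(cert, SAMPLE_METADATA))
```

A result of False for the pinned certificate means the IDP now publishes a different signing certificate and the download-and-paste steps above need to be repeated.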
For more information on how to configure Azure SAML 2.0, please see this page.